The Diamond Model of Intrusion Analysis (aka the Diamond Model), written by Sergio Caltagirone, Andy Pendergast (Dataminr SVP of Cyber Product Management), and Christopher Betz, is a cornerstone of cyber threat intelligence tradecraft.
It was released in 2013 during a highly formative period for cybersecurity, alongside other foundational frameworks and methodologies such as VERIS (2010), the Cyber Kill Chain (2011), MITRE ATT&CK® (2013), and NIST CSF (2014).
What is the Diamond Model of Intrusion Analysis?
The Diamond Model is a process used to document, analyze, and correlate intrusions by threat actors into organizational environments across network, digital, and physical domains.
At first glance, the model appears simple, which contributes to its accessibility. In practice, however, it is highly flexible and operationally powerful. As described in the original paper, the Diamond Model, “… is a mathematical framework allowing the application of game, graph, and classification/clustering theory to improve analysis and decision making.”
The model defines four “atomic elements”:
- Adversary
- Infrastructure
- Capability
- Victim
Connecting these elements visually forms the shape of a diamond.

The framework also includes meta-features such as:
- Event
- Thread
- Group
These support broader operational analysis, including linking events into “activity threads” and combining threads into larger “activity groups.”
Applying the Diamond Model to Cyber Threat Intelligence
The Diamond Model is used to describe threat actor behaviors. The typical pattern is that an adversary “…deploys a capability over some infrastructure against a victim.” (p.7) These interactions are referred to as events.
Cyber threat intelligence (CTI) analysts collect and analyze events, populating the atomic elements with operational details tied to adversaries, infrastructure, capabilities, and victims. Through analysis of this intelligence, CTI teams develop a broader understanding of threat actor behavior and operational patterns.
Events can also be ordered chronologically because threat actors rarely act in isolation. Their operations are typically composed of a series of coordinated actions designed to achieve specific objectives.
Activity threads are built per adversary-victim pair by ordering that pair's events chronologically; read together, the events in a thread provide insight into:
- threat actor behavior
- operational objectives
- appropriate defensive or response actions
Events can also be correlated across activity threads. This allows analysts to:
- identify broader campaigns
- expose relationships across seemingly unrelated events
- identify common infrastructure or TTPs
- understand recurring operational patterns across multiple actors
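As an added worked example (not code from the original paper or from Dataminr), the following Python sketch models Diamond events with the four atomic elements, builds activity threads as chronologically ordered adversary-victim pairs, and then correlates threads that share infrastructure or capability values into activity groups. The event data, the adversary labels (ADV-A, ADV-B, unknown) and the organisation names are constructed sample values; the IP addresses are from the RFC 5737 documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class DiamondEvent:
    # The four atomic elements, plus timestamp and kill-chain phase as meta-features.
    timestamp: datetime
    adversary: str        # "unknown" when attribution has not yet been made
    infrastructure: str
    capability: str
    victim: str
    phase: str


# Constructed sample events (not real incident data); IPs are RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    DiamondEvent(datetime(2024, 3, 1, 9, 0), "ADV-A", "203.0.113.10", "phishing-kit-1", "org-1", "delivery"),
    DiamondEvent(datetime(2024, 3, 1, 9, 30), "ADV-A", "203.0.113.10", "loader-x", "org-1", "installation"),
    DiamondEvent(datetime(2024, 3, 2, 14, 0), "ADV-A", "198.51.100.7", "loader-x", "org-1", "c2"),
    DiamondEvent(datetime(2024, 3, 5, 11, 0), "unknown", "198.51.100.7", "loader-x", "org-2", "c2"),
    DiamondEvent(datetime(2024, 3, 5, 10, 0), "unknown", "203.0.113.55", "phishing-kit-2", "org-2", "delivery"),
    DiamondEvent(datetime(2024, 4, 1, 8, 0), "ADV-B", "192.0.2.9", "ransomware-z", "org-3", "actions-on-objectives"),
]


def build_activity_threads(events):
    """Group events into activity threads keyed by (adversary, victim), ordered by time."""
    threads = defaultdict(list)
    for ev in events:
        threads[(ev.adversary, ev.victim)].append(ev)
    return {key: sorted(evs, key=lambda e: e.timestamp) for key, evs in threads.items()}


def shared_features(threads, feature):
    """Return {feature_value: {thread keys}} for values that appear in more than one thread.

    feature is one of the atomic-element attribute names, e.g. "infrastructure" or "capability".
    """
    index = defaultdict(set)
    for key, evs in threads.items():
        for ev in evs:
            index[getattr(ev, feature)].add(key)
    return {value: keys for value, keys in index.items() if len(keys) > 1}


def activity_groups(threads, features=("infrastructure", "capability")):
    """Union threads that share any infrastructure or capability value into activity groups."""
    keys = list(threads)
    parent = {k: k for k in keys}

    def find(k):
        # Union-find with path halving.
        while parent[k] != k:
            parent[k] = parent[parent[k]]
            k = parent[k]
        return k

    for feature in features:
        for linked in shared_features(threads, feature).values():
            linked = list(linked)
            for other in linked[1:]:
                parent[find(other)] = find(linked[0])

    groups = defaultdict(set)
    for k in keys:
        groups[find(k)].add(k)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


if __name__ == "__main__":
    threads = build_activity_threads(SAMPLE_EVENTS)
    for key, evs in threads.items():
        print(key, [e.phase for e in evs])
    print("shared infrastructure:", shared_features(threads, "infrastructure"))
    print("activity groups:", activity_groups(threads))
```

Run as written, the unattributed thread against org-2 lands in the same activity group as ADV-A's thread because both use 198.51.100.7 and loader-x. A shared feature is a pivot, not a conclusion: shared hosting or a widely sold capability can link unrelated threads, so an analyst would confirm such a grouping against victimology and the other atomic elements before treating it as a single campaign.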
The Diamond Model helps frame how CTI analysts perform operational intelligence analysis. It goes beyond simply aggregating, processing, and distributing indicators. Instead, it supports systematic analysis that helps organizations understand relationships across intrusion activity, build profiles of threat actor behavior, and operationalize intelligence more effectively.
Ultimately, the goal is to improve defensive decision-making and make it more difficult for adversaries to operate successfully against the organization, including moving higher on the Pyramid of Pain through stronger detection and protection capabilities.
Additional Diamond Model Resources
If you enjoy Star Wars, our blog applying the Diamond Model to the Battle of Yavin is also worth exploring. Additional training and educational resources on the Diamond Model are available from Sergio Caltagirone and other members of the threat intelligence community.
How Dataminr Leverages the Diamond Model
Dataminr for Cyber Defense helps operationalize many of the concepts central to the Diamond Model by connecting intelligence, relationships, and operational context into analyst workflows.
Examples include:
- Threat intelligence data models — map relationships across adversaries, campaigns, malware, infrastructure, and techniques
- Associative analysis capabilities — help analysts identify relationships between intelligence objects
- Pivoting workflows — allow analysts to explore related indicators, infrastructure, campaigns, and operational context
- Visual relationship mapping and graph analysis — support broader campaign and intrusion analysis
- APIs and integrations — support scalable operational intelligence workflows
These capabilities help analysts operationalize intelligence more efficiently while improving visibility across adversary activity and related operational context. Organizations looking to operationalize the Diamond Model within modern intelligence workflows should focus on improving how intelligence relationships, operational context, and analysis are connected across teams and systems.
